Hallo I've fixed the cron job for libdspam7-drv-mysql, it fixes CVE-2007-6418[0]. Attached is the NMU-diff.
Regards, Adrian
diff -u dspam-3.6.8/debian/libdspam7-drv-mysql.cron.daily dspam-3.6.8/debian/libdspam7-drv-mysql.cron.daily
--- dspam-3.6.8/debian/libdspam7-drv-mysql.cron.daily
+++ dspam-3.6.8/debian/libdspam7-drv-mysql.cron.daily
@@ -5,6 +5,7 @@
DSPAMCONF=/etc/dspam/dspam.conf
MYSQLCONF=/etc/dspam/dspam.d/mysql.conf
PURGE=/usr/share/doc/libdspam7-drv-mysql/purge-4.1.sql
+MYSQLCONF_PASSWD=/var/run/libdspam7-drv-mysql.cron.passwd
if grep -q "^StorageDriver.*mysql_drv.so" $DSPAMCONF; then
if [ -x /usr/bin/mysql ]; then
@@ -13,17 +14,26 @@
MYSQL_DB="`grep "^MySQLDb" $MYSQLCONF | awk '{print $2}'`"
MYSQL_HOST="`grep "^MySQLServer" $MYSQLCONF | awk '{print $2}'`"
+ UMASK_OLD="`umask`"
+ umask 077
+ [ -e "$MYSQLCONF_PASSWD" ] && rm "$MYSQLCONF_PASSWD"
+ echo -e "[client]\npassword=$MYSQL_PASS" > "$MYSQLCONF_PASSWD"
+ umask "$UMASK_OLD"
+
# If host is empty or starting with a / assume it's localhost.
if [ -z "$MYSQL_HOST" ] || [ "${MYSQL_HOST:0:1}" = "/" ]; then
- /usr/bin/mysql --user=$MYSQL_USER --password=$MYSQL_PASS $MYSQL_DB < $PURGE
+ /usr/bin/mysql --defaults-extra-file=$MYSQLCONF_PASSWD --user=$MYSQL_USER $MYSQL_DB < $PURGE
else
if echo "$MYSQL_HOST" | grep "^/" > /dev/null 2>&1 ; then
# Assume it is a socket:
- /usr/bin/mysql --socket=$MYSQL_HOST --user=$MYSQL_USER --password=$MYSQL_PASS $MYSQL_DB < $PURGE
+ /usr/bin/mysql --defaults-extra-file=$MYSQLCONF_PASSWD --socket=$MYSQL_HOST --user=$MYSQL_USER < $PURGE
else
- /usr/bin/mysql --host=$MYSQL_HOST --user=$MYSQL_USER --password=$MYSQL_PASS $MYSQL_DB < $PURGE
+ /usr/bin/mysql --defaults-extra-file=$MYSQLCONF_PASSWD --host=$MYSQL_HOST --user=$MYSQL_USER < $PURGE
fi
fi
+
+ rm "$MYSQLCONF_PASSWD"
+
fi
fi
diff -u dspam-3.6.8/debian/changelog dspam-3.6.8/debian/changelog
--- dspam-3.6.8/debian/changelog
+++ dspam-3.6.8/debian/changelog
@@ -1,3 +1,11 @@
+dspam (3.6.8-5.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Giving the password in libdspam7-drv-mysql cronjob in a file instead of
+ the command line. CVE-2007-6418[0] (Closes: #448519)
+
+ -- Adrian Friedli <[EMAIL PROTECTED]> Sun, 13 Jan 2008 14:59:25 +0100
+
dspam (3.6.8-5) unstable; urgency=high
[Kurt B. Kaiser]
signature.asc
Description: This is a digitally signed message part.

